Keep up to date with us

We update our blog with regular posts to keep you up to speed on the world of B2B data.

BREAKING NEWS: WP29 issues guidance on consent, ICO will be next

Posted on 14/12/2017 at 13:55By Corpdata

Many people have been waiting for the Information Commissioners Office to issue guidance on consent. However, the ICO have needed to wait for Working Party 29 to issue their guidance. That's beca…
GDPR breaking news

Guidance on consent under GDPR

Many people have been waiting for the Information Commissioners Office to issue guidance on consent. However, the ICO have needed to wait for Working Party 29 to issue their guidance. That's because GDPR is a Regulation, there is no scope for interpretation, not even by the UK regulator! It is to be interpreted the same everywhere.

Good news! WP29 guidance was published yesterday. This means the ICO can now issue theirs. However, we would suggest you don't wait for the ICO guidance, after all it must say roughly the same as the WP29 version - Article 63 and indeed all of Chapter 7 of GDPR specifically says that all supervisory authorities must interpret things the same way - in fact that's the point of WP29 and also GDPR itself. We have rushed together a video telling you all about the key things you need to know from the guidance.

At Corpdata we have always been sceptical about the wisdom of using consent, and we have been quite outspoken. In October Newsletter we observed consent is being over-hyped, and in a mid-month update we highlighted the logical implausibility of transferring consent from a list owner to a licensee of the data. We also took issue with the DMA about their 'GDPR Checklist' guidance leading people to think consent will be transferable.

It turns out we judged it correctly! In section 3.3.1. Minimum content requirements for consent to be ‘informed’, WP29 says:

if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named.

For third party lists, CONSENT WILL NOT BE VALID!

You are responsible

Don't forget, as we have said previously, GDPR says you are responsible for demonstrating you have complied with the law.

If your data supplier has been promising you can use their data on the basis of consent, they have been flat-out misleading you! Now, to be fair, no-one has told them what to do, they have been waiting for guidance too, but what poor judgement! These suppliers should be experts in the field. They should at least care about preventing their customers breaking the law, don't you think? Maybe all that was important to them was making a quick sale?

As we previously mentioned, we are genuinely concerned, and were continually a bit peeved when we heard our customers were being misled by unscrupulous dealers!

Moving on, Article 13(1)(c) of GDPR says you must tell the data subject at the time the data is collected, the legal basis for processing. So, these data suppliers have been telling people the legal basis is consent. What are the implications of changing the legal basis? The data collected on the basis of consent is not valid for use under legitimate interest, unless each data subject is informed of the new legal basis. So if you process this data, you will be doing so unlawfully, and probably be breaching GDPR with all the consequences that may have!

So if you hear of data suppliers doing a quick 'volte-face' and suddenly talking about 'legitimate interest' (the only way you can legally use third party lists by the way), we'd suggest you don't touch them with a barge-pole!

Do your due-diligence. We have made a list of Due Diligence Questions to ask Data Suppliers.

Here is one extra question which you should ask too:

Has every data subject been informed their data is processed on the basis of legitimate interest or consent?

Just in case this all seems a bit pernickety, The very last paragraph of the WP29 guidance document says:

Under the GDPR, it is not possible to swap between one lawful basis and another.

In the first paragraph of section 6, it spells it our in black and white (it's a long quote, but go with it):

The lawful basis cannot be modified in the course of processing. Hence, the controller cannot swap between lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Therefore, under the GDPR, controllers that ask for a data subject’s consent to the use of personal data shall in principle not be able to rely on the other lawful bases in Article 6 as a “back-up”, either when they cannot demonstrate that GDPR-compliant consent has been given by a data subject or if valid consent is subsequently withdrawn. Because of the requirement to disclose the lawful basis which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is.

Thankfully there is no ambiguity there then!

The safe option

At Corpdata we didn't wait for guidance. Ever since the first draft of GDPR came out we have been studying it, we have adjusted our procedures and processes, not only to comply with the law, but also, as far as possible, to ensure you also comply, by accident. We have a video telling you of the Changes Corpdata has Made. We have researched all the data we make available on the basis of legitimate interest, and it is that legal basis upon which we supply it to you.

When it comes to GDPR, choosing a supplier who demonstrates good judgement is important. Corpdata has always offered business data you can trust. You can also trust us to have thought about how to keep you safe.

If you want to be sure you comply with the law, trust Corpdata!